Package org.mozilla.jss.netscape.security.x509

Class X509CertImpl

  • All Implemented Interfaces:
    java.io.Serializable, java.security.cert.X509Extension, DerEncoder
    public class X509CertImpl
extends java.security.cert.X509Certificate
implements java.io.Serializable, DerEncoder
    The X509CertImpl class represents an X.509 certificate. These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET). There is a commercial infrastructure ready to manage large scale deployments of X.509 identity certificates.

    These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. Such signatures are quite difficult to forge. CAs act as trusted third parties, making introductions between agents who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.

    RFC 1422 is very informative, though it does not describe much of the recent work being done with X.509 certificates. That includes a 1996 version (X.509v3) and a variety of enhancements being made to facilitate an explosion of personal certificates used as "Internet Drivers' Licences", or with SET for credit card transactions.

    More recent work includes the IETF PKIX Working Group efforts, especially part 1.

    See Also:
    X509CertInfo, Serialized Form

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      protected static class  X509CertImpl.CertificateRep1  

      • Nested classes/interfaces inherited from class java.security.cert.Certificate

        java.security.cert.Certificate.CertificateRep

    • Constructor Summary

      Constructors 
      Constructor Description
      X509CertImpl()
      Default constructor.
      X509CertImpl​(byte[] certData)
      Unmarshals a certificate from its encoded form, parsing the encoded bytes.
      X509CertImpl​(byte[] certData, X509CertInfo certInfo)
      As a special optimization, this constructor acts as X509CertImpl(byte[]) except that it takes an X509CertInfo which it uses as a 'hint' for how to construct one field.
      X509CertImpl​(java.io.InputStream in)
      unmarshals an X.509 certificate from an input stream.
      X509CertImpl​(DerValue derVal)
      Unmarshal a certificate from its encoded form, parsing a DER value.
      X509CertImpl​(X509CertInfo certInfo)
      Construct an initialized X509 Certificate.

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void checkValidity()
      Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
      void checkValidity​(java.util.Date date)
      Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.
      void decode​(java.io.InputStream in)
      Decode an X.509 certificate from an input stream.
      void delete​(java.lang.String name)
      Delete the requested attribute from the certificate.
      void derEncode​(java.io.OutputStream out)
      DER encode this object onto an output stream.
      void encode​(java.io.OutputStream out)
      Appends the certificate to an output stream.
      java.lang.Object get​(java.lang.String name)
      Return the requested attribute from the certificate.
      int getBasicConstraints()
      Get the certificate constraints path length from the the critical BasicConstraints extension, (oid = 2.5.29.19).
      boolean getBasicConstraintsIsCA()  
      java.util.Set<java.lang.String> getCriticalExtensionOIDs()
      Gets a Set of the extension(s) marked CRITICAL in the certificate by OID strings.
      java.util.Enumeration<java.lang.String> getElements()
      Return an enumeration of names of attributes existing within this attribute.
      byte[] getEncoded()
      Returns the encoded form of this certificate.
      Extension getExtension​(java.lang.String oid)  
      byte[] getExtensionValue​(java.lang.String oid)
      Gets the DER encoded extension identified by the passed in oid String.
      X509CertInfo getInfo()  
      java.security.Principal getIssuerDN()
      Gets the issuer distinguished name from the certificate.
      CertificateIssuerName getIssuerObj()  
      boolean[] getIssuerUniqueID()
      Gets the Issuer Unique Identity from the certificate.
      boolean[] getKeyUsage()
      Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).
      java.lang.String getName()
      Return the name of this attribute.
      java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()
      Gets a Set of the extension(s) marked NON-CRITICAL in the certificate by OID strings.
      java.util.Date getNotAfter()
      Gets the notAfter date from the validity period of the certificate.
      java.util.Date getNotBefore()
      Gets the notBefore date from the validity period of the certificate.
      java.security.PublicKey getPublicKey()
      Gets the publickey from this certificate.
      java.math.BigInteger getSerialNumber()
      Gets the serial number from the certificate.
      java.lang.String getSigAlgName()
      Gets the signature algorithm name for the certificate signature algorithm.
      java.lang.String getSigAlgOID()
      Gets the signature algorithm OID string from the certificate.
      byte[] getSigAlgParams()
      Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
      byte[] getSignature()
      Gets the raw Signature bits from the certificate.
      java.security.Principal getSubjectDN()
      Gets the subject distinguished name from the certificate.
      CertificateSubjectName getSubjectObj()  
      boolean[] getSubjectUniqueID()
      Gets the Subject Unique Identity from the certificate.
      byte[] getTBSCertificate()
      Gets the DER encoded certificate informations, the tbsCertificate from this certificate.
      int getVersion()
      Gets the version number from the certificate.
      boolean hasUnsupportedCriticalExtension()  
      void set​(java.lang.String name, java.lang.Object obj)
      Set the requested attribute in the certificate.
      void sign​(java.security.PrivateKey key, java.lang.String algorithm)
      Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name).
      void sign​(java.security.PrivateKey key, java.lang.String algorithm, java.lang.String provider)
      Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name).
      java.lang.String toString()
      Returns a printable representation of the certificate.
      void verify​(java.security.PublicKey key)
      Throws an exception if the certificate was not signed using the verification key provided.
      void verify​(java.security.PublicKey key, java.lang.String sigProvider)
      Throws an exception if the certificate was not signed using the verification key provided.
      protected java.lang.Object writeReplace()  

      • Methods inherited from class java.security.cert.X509Certificate

        getExtendedKeyUsage, getIssuerAlternativeNames, getIssuerX500Principal, getSubjectAlternativeNames, getSubjectX500Principal, verify

      • Methods inherited from class java.security.cert.Certificate

        equals, getType, hashCode

      • Methods inherited from class java.lang.Object

        clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    • Constructor Detail

      • X509CertImpl

        public X509CertImpl()
        Default constructor.

      • X509CertImpl

        public X509CertImpl​(byte[] certData)
             throws java.security.cert.CertificateException
        Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents. That is, this is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.
        Parameters:
        certData - the encoded bytes, with no trailing padding.
        Throws:
        java.security.cert.CertificateException - on parsing and initialization errors.

      • X509CertImpl

        public X509CertImpl​(byte[] certData,
                    X509CertInfo certInfo)
             throws java.security.cert.CertificateException
        As a special optimization, this constructor acts as X509CertImpl(byte[]) except that it takes an X509CertInfo which it uses as a 'hint' for how to construct one field.
        Parameters:
        certData - the encode bytes, with no traiing padding
        certInfo - the certInfo which has already been constructed from the certData
        Throws:
        java.security.cert.CertificateException

      • X509CertImpl

        public X509CertImpl​(java.io.InputStream in)
             throws java.security.cert.CertificateException
        unmarshals an X.509 certificate from an input stream.
        Parameters:
        in - an input stream holding at least one certificate
        Throws:
        java.security.cert.CertificateException - on parsing and initialization errors.

      • X509CertImpl

        public X509CertImpl​(X509CertInfo certInfo)
        Construct an initialized X509 Certificate. The certificate is stored in raw form and has to be signed to be useful.
        Parameters:
        certInfo - the X509CertificateInfo which the Certificate is to be created from.

      • X509CertImpl

        public X509CertImpl​(DerValue derVal)
             throws java.security.cert.CertificateException
        Unmarshal a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.
        Parameters:
        derVal - the der value containing the encoded cert.
        Throws:
        java.security.cert.CertificateException - on parsing and initialization errors.

    • Method Detail

      • hasUnsupportedCriticalExtension

        public boolean hasUnsupportedCriticalExtension()
        Specified by:
        hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension

      • decode

        public void decode​(java.io.InputStream in)
            throws java.security.cert.CertificateException,
                   java.io.IOException
        Decode an X.509 certificate from an input stream.
        Parameters:
        in - an input stream holding at least one certificate
        Throws:
        java.security.cert.CertificateException - on parsing errors.
        java.io.IOException - on other errors.

      • encode

        public void encode​(java.io.OutputStream out)
            throws java.security.cert.CertificateEncodingException
        Appends the certificate to an output stream.
        Parameters:
        out - an input stream to which the certificate is appended.
        Throws:
        java.security.cert.CertificateEncodingException - on encoding errors.

      • derEncode

        public void derEncode​(java.io.OutputStream out)
               throws java.io.IOException
        DER encode this object onto an output stream. Implements the DerEncoder interface.
        Specified by:
        derEncode in interface DerEncoder
        Parameters:
        out - the output stream on which to write the DER encoding.
        Throws:
        java.io.IOException - on encoding error.

      • getEncoded

        public byte[] getEncoded()
                  throws java.security.cert.CertificateEncodingException
        Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER.
        Specified by:
        getEncoded in class java.security.cert.Certificate
        Throws:
        java.security.cert.CertificateEncodingException - if an encoding error occurs.

      • verify

        public void verify​(java.security.PublicKey key)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
        Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.
        Specified by:
        verify in class java.security.cert.Certificate
        Parameters:
        key - the public key used for verification.
        Throws:
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.NoSuchProviderException - if there's no default provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CertificateException - on encoding errors.

      • verify

        public void verify​(java.security.PublicKey key,
                   java.lang.String sigProvider)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
        Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.
        Specified by:
        verify in class java.security.cert.Certificate
        Parameters:
        key - the public key used for verification.
        sigProvider - the name of the provider.
        Throws:
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchProviderException - on incorrect provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CertificateException - on encoding errors.

      • sign

        public void sign​(java.security.PrivateKey key,
                 java.lang.String algorithm)
          throws java.security.cert.CertificateException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchProviderException,
                 java.security.SignatureException
        Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
        Parameters:
        key - the private key used for signing.
        algorithm - the name of the signature algorithm used.
        Throws:
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.NoSuchProviderException - if there's no default provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CertificateException - on encoding errors.

      • sign

        public void sign​(java.security.PrivateKey key,
                 java.lang.String algorithm,
                 java.lang.String provider)
          throws java.security.cert.CertificateException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchProviderException,
                 java.security.SignatureException
        Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
        Parameters:
        key - the private key used for signing.
        algorithm - the name of the signature algorithm used.
        provider - the name of the provider.
        Throws:
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchProviderException - on incorrect provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CertificateException - on encoding errors.

      • checkValidity

        public void checkValidity()
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException
        Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
        Specified by:
        checkValidity in class java.security.cert.X509Certificate
        Throws:
        java.security.cert.CertificateExpiredException - if the certificate has expired.
        java.security.cert.CertificateNotYetValidException - if the certificate is not yet valid.

      • checkValidity

        public void checkValidity​(java.util.Date date)
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException
        Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.
        Specified by:
        checkValidity in class java.security.cert.X509Certificate
        Parameters:
        date - the Date to check against to see if this certificate is valid at that date/time.
        Throws:
        java.security.cert.CertificateExpiredException - if the certificate has expired with respect to the date supplied.
        java.security.cert.CertificateNotYetValidException - if the certificate is not yet valid with respect to the date supplied.

      • get

        public java.lang.Object get​(java.lang.String name)
                     throws java.security.cert.CertificateParsingException
        Return the requested attribute from the certificate.
        Parameters:
        name - the name of the attribute.
        Throws:
        java.security.cert.CertificateParsingException - on invalid attribute identifier.

      • set

        public void set​(java.lang.String name,
                java.lang.Object obj)
         throws java.security.cert.CertificateException,
                java.io.IOException
        Set the requested attribute in the certificate.
        Parameters:
        name - the name of the attribute.
        obj - the value of the attribute.
        Throws:
        java.security.cert.CertificateException - on invalid attribute identifier.
        java.io.IOException - on encoding error of attribute.

      • delete

        public void delete​(java.lang.String name)
            throws java.security.cert.CertificateException,
                   java.io.IOException
        Delete the requested attribute from the certificate.
        Parameters:
        name - the name of the attribute.
        Throws:
        java.security.cert.CertificateException - on invalid attribute identifier.
        java.io.IOException - on other errors.

      • getElements

        public java.util.Enumeration<java.lang.String> getElements()
        Return an enumeration of names of attributes existing within this attribute.

      • getName

        public java.lang.String getName()
        Return the name of this attribute.

      • toString

        public java.lang.String toString()
        Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called.
        Specified by:
        toString in class java.security.cert.Certificate

      • getPublicKey

        public java.security.PublicKey getPublicKey()
        Gets the publickey from this certificate.
        Specified by:
        getPublicKey in class java.security.cert.Certificate
        Returns:
        the publickey.

      • getVersion

        public int getVersion()
        Gets the version number from the certificate.
        Specified by:
        getVersion in class java.security.cert.X509Certificate
        Returns:
        the version number.

      • getSerialNumber

        public java.math.BigInteger getSerialNumber()
        Gets the serial number from the certificate.
        Specified by:
        getSerialNumber in class java.security.cert.X509Certificate
        Returns:
        the serial number.

      • getSubjectDN

        public java.security.Principal getSubjectDN()
        Gets the subject distinguished name from the certificate.
        Specified by:
        getSubjectDN in class java.security.cert.X509Certificate
        Returns:
        the subject name.

      • getIssuerDN

        public java.security.Principal getIssuerDN()
        Gets the issuer distinguished name from the certificate.
        Specified by:
        getIssuerDN in class java.security.cert.X509Certificate
        Returns:
        the issuer name.

      • getNotBefore

        public java.util.Date getNotBefore()
        Gets the notBefore date from the validity period of the certificate.
        Specified by:
        getNotBefore in class java.security.cert.X509Certificate
        Returns:
        the start date of the validity period.

      • getNotAfter

        public java.util.Date getNotAfter()
        Gets the notAfter date from the validity period of the certificate.
        Specified by:
        getNotAfter in class java.security.cert.X509Certificate
        Returns:
        the end date of the validity period.

      • getTBSCertificate

        public byte[] getTBSCertificate()
                         throws java.security.cert.CertificateEncodingException
        Gets the DER encoded certificate informations, the tbsCertificate from this certificate. This can be used to verify the signature independently.
        Specified by:
        getTBSCertificate in class java.security.cert.X509Certificate
        Returns:
        the DER encoded certificate information.
        Throws:
        java.security.cert.CertificateEncodingException - if an encoding error occurs.

      • getSignature

        public byte[] getSignature()
        Gets the raw Signature bits from the certificate.
        Specified by:
        getSignature in class java.security.cert.X509Certificate
        Returns:
        the signature.

      • getSigAlgName

        public java.lang.String getSigAlgName()
        Gets the signature algorithm name for the certificate signature algorithm. For example, the string "SHA-1/DSA" or "DSS".
        Specified by:
        getSigAlgName in class java.security.cert.X509Certificate
        Returns:
        the signature algorithm name.

      • getSigAlgOID

        public java.lang.String getSigAlgOID()
        Gets the signature algorithm OID string from the certificate. For example, the string "1.2.840.10040.4.3"
        Specified by:
        getSigAlgOID in class java.security.cert.X509Certificate
        Returns:
        the signature algorithm oid string.

      • getSigAlgParams

        public byte[] getSigAlgParams()
        Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
        Specified by:
        getSigAlgParams in class java.security.cert.X509Certificate
        Returns:
        the DER encoded signature algorithm parameters, or null if no parameters are present.

      • getIssuerUniqueID

        public boolean[] getIssuerUniqueID()
        Gets the Issuer Unique Identity from the certificate.
        Specified by:
        getIssuerUniqueID in class java.security.cert.X509Certificate
        Returns:
        the Issuer Unique Identity.

      • getSubjectUniqueID

        public boolean[] getSubjectUniqueID()
        Gets the Subject Unique Identity from the certificate.
        Specified by:
        getSubjectUniqueID in class java.security.cert.X509Certificate
        Returns:
        the Subject Unique Identity.

      • getCriticalExtensionOIDs

        public java.util.Set<java.lang.String> getCriticalExtensionOIDs()
        Gets a Set of the extension(s) marked CRITICAL in the certificate by OID strings.
        Specified by:
        getCriticalExtensionOIDs in interface java.security.cert.X509Extension
        Returns:
        a set of the extension oid strings in the certificate that are marked critical.

      • getNonCriticalExtensionOIDs

        public java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()
        Gets a Set of the extension(s) marked NON-CRITICAL in the certificate by OID strings.
        Specified by:
        getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension
        Returns:
        a set of the extension oid strings in the certificate that are NOT marked critical.

      • getExtension

        public Extension getExtension​(java.lang.String oid)

      • getExtensionValue

        public byte[] getExtensionValue​(java.lang.String oid)
        Gets the DER encoded extension identified by the passed in oid String.
        Specified by:
        getExtensionValue in interface java.security.cert.X509Extension
        Parameters:
        oid - the Object Identifier value for the extension.

      • getKeyUsage

        public boolean[] getKeyUsage()
        Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).
        Specified by:
        getKeyUsage in class java.security.cert.X509Certificate
        Returns:
        the bit values of this extension as an array of booleans.

      • getBasicConstraints

        public int getBasicConstraints()
        Get the certificate constraints path length from the the critical BasicConstraints extension, (oid = 2.5.29.19).
        Specified by:
        getBasicConstraints in class java.security.cert.X509Certificate
        Returns:
        the length of the constraint.

      • getBasicConstraintsIsCA

        public boolean getBasicConstraintsIsCA()

      • writeReplace

        protected java.lang.Object writeReplace()
                                 throws java.io.ObjectStreamException
        Overrides:
        writeReplace in class java.security.cert.Certificate
        Throws:
        java.io.ObjectStreamException